A Primer for Brainstorming Fraud Risks

There are good and bad ways to conduct brainstorming sessions.

AUDITORS MUST INCORPORATE
BRAINSTORMING sessions to
identify fraud risks in the planning
stages of their audits, as mandated by SAS
no. 99, and use them periodically
throughout the process.

INNOVATIVE THOUGHTS ARE
CRITICAL to the generation of
high-quality ideas. Consequently,
leaders should tell team members to
assume there are no constraints to
addressing the issue. Participants will
generate more nontraditional ideas if
they are freed of the mental baggage
that comes with real-world constraints
(for example, time pressures or other
assignments).

IN ADVANCE OF A GROUP’S
MEETING, team members can be
assigned homework that starts their
creative juices flowing. The session
will proceed more smoothly and be more
productive if everyone already has given
thought to possible fraud risks.

LEADERS SHOULD ENCOURAGE
team members to share all ideas
no matter how unusual they seem.
Participants must feel free to speak
openly without fearing a loss of
standing or credibility. Thus, setting a
“zero tolerance” for criticism is
essential.

AGREEING ON KEY
CONCLUSIONS ABOUT fraud risks
will increase the likelihood of
successful application of the group’s
ideas. Leaders should encourage
participants to constructively discuss
and evaluate all of the shared ideas to
arrive at a consensus.

LEADERS SHOULD USE
RECOMMENDED brainstorming
basics and techniques to get the best
results, especially when guiding
engagement team members who are new to
such sessions. All are geared to
encourage participants to generate as
many ideas as possible.

MARK S. BEASLEY, CPA,
PhD, is associate professor of accounting
at North Carolina State University,
Raleigh. He is a member of the AICPA
antifraud committee and education
subcommittee, as well as the Association
of Certified Fraud Examiners. His articles
are widely published in accounting
literature. His e-mail address is
mark_beasley@ncsu.edu . J. GREGORY
JENKINS, CPA, PhD, is assistant professor
of accounting at North Carolina State
University, Raleigh. His articles on
accounting subjects are published in
various academic and professional
journals. His e-mail address is greg_jenkins@ncsu.edu
.

uditors are required by SAS no. 99,
Consideration of Fraud in a Financial
Statement Audit, to conduct a
“brainstorming” session in every audit. Its
purpose is twofold: to consider fraud risks that
may be present and to emphasize the importance of
professional skepticism throughout the entire
audit process. Key members of the audit team—from
the lead partner or manager in charge of the
engagement all the way down to new staff—meet
during the planning stages and during the course
of the audit to exchange ideas about how and where
they believe the entity’s financial statements may
be susceptible to material misstatements due to
fraud and to discuss how management could
perpetrate and conceal fraudulent financial
reporting or misappropriate assets. This article
will discuss how audit team leaders can avoid the
pitfalls inherent in brainstorming sessions and
employ the best practices for maximizing the
benefits.

When carefully planned and
managed, brainstorming can lead to many
high-quality ideas about possible fraud risks
audit team members wouldn’t likely generate
individually. A brainstorming session that ignores
best practices, however, might quickly give way to
inefficiencies and distractions that ultimately
could muddy the audit team’s ability to focus on
relevant fraud risks. That kind of deterioration
can hinder key audit decisions, leading the team
down dangerous paths—for example, to incorrect
conclusions concerning which fraud risks are
present, confusion on how to respond to a
disjointed list of identified risk issues or lack
of “buy-in” to the brainstorming process.

VALUE OF BRAINSTORMING SESSIONS
WResearch has shown
that auditors are much more likely to correctly
identify fraud risk conditions if the audit team
engages in open-ended, nontraditional
considerations of them. Responses from numerous
stakeholders, such as forensic accountants,
internal auditors, external auditors and other
fraud experts, have reaffirmed the benefits of
auditors engaging in such discussions.

The
difficulty auditors face in assessing fraud risks
partially stems from the fact that most of them
have never encountered a material fraud during
their careers; thus, they may be less effective
when assessing fraud risks on their own, which
makes group exploration all the more valuable in
identifying them. A barrier to disseminating
critical information can be the engagement
partner’s or manager’s failure to share
information about a client’s honesty and integrity
with the engagement team. So, in part,
brainstorming sessions prompt the more experienced
auditors to share their insights with less
experienced team members and, in turn, encourage
those who are less experienced but have recent
first-hand knowledge of client processes to
provide their insights to the senior members.

Even though brand-new team members may not have
information specific to the client to contribute,
these sessions provide an excellent opportunity
for them to become familiar with pertinent
information that could affect their professional
skepticism during their first year on the
engagement. And, new team members bring a fresh
perspective to the process by sharing insights
from other client experiences. In any case, the
brainstorming requirement mandates that all key
audit team members must engage in dialogue. (See “
Auditors’ Responsibility for Fraud Detection,
” JofA , Jan.03, page 28, for a
discussion of the brainstorming requirement of SAS
no. 99.)

POTENTIAL PITFALLS
Four common
pitfalls can hinder an audit team’s
brainstorming effectiveness: group
domination, “social loafing,” “groupthink”
and “groupshift.”

Group domination
is one of the most
corrosive problems. Because the goal of
a brainstorming session is to have audit
team members share thoughts and
ideas, one or two participants
dominating the process can quickly
squelch the creative energies of the
group as a whole, reducing the
likelihood the team will identify any
actual fraud risks.

Audit teams
are especially susceptible to this
pitfall because of their traditional
hierarchical structure. Senior team
members may intimidate less experienced
staff who look to them to lead the
discussion. Other team members may defer
to those assigned to lead the audit
planning, believing they have had an
opportunity to think in more detail
about potential fraud risks.
Furthermore, as in any group setting,
there may be one or two vocal
individuals with great confidence in
their own ability and a determination to
present their views. If any of these
conditions are present, the intended
benefits of fraud risk brainstorming—an
exchange of ideas among the entire
team—may never materialize.

Cyber Aids To learn more about
effective brainstorming and
electronic brainstorming
software, see these resources
available on the Internet:

Social loafing, also
called free-riding, is another potential pitfall
of brainstorming activities. It occurs when
participants disengage from the process, expecting
that other team members will pick up the slack.
Given their size and geographic dispersion, large
audit teams may be particularly susceptible. Other
reasons for such “loafing” may include the “why
bother” feelings that stem from group domination,
the absence of compelling incentives to actively
participate in the discussion and an individual’s
failure to make a sufficient personal investment
in the group’s task. It may be that members of the
engagement team are juggling numerous client
engagements or some team members may be working on
a specific aspect of the engagement, such as IT or
tax specialty work and thus may “check out” when
the discussion does not directly address their
specific aspect of the engagement.

Fear of
losing credibility also may prevent individuals
from participating. If individuals feel they need
to protect their standing, they will be less
likely to voice an unpopular idea or opinion. This
may be a problem for less experienced audit staff
members or others recently assigned to the client
engagement. They may feel unqualified to speak
openly about engagement-specific risks or be
reluctant to do so in front of more experienced
engagement team members, who eventually will play
a role in their performance evaluations. Such
self-censuring behavior can hinder a group’s
ability to handle the complex nature of the
fraud-risk-assessment process—the very type of
problem for which “outside the box” thinking is
critical.

Groupthink is another
pitfall to avoid. This phenomenon occurs when team
members become so concerned with reaching
consensus that they fail to realistically evaluate
all ideas or suggestions. Audit teams can be
particularly susceptible to this as auditors
generally are very sensitive to time/budget
pressures. Thus, they quickly may align with the
group’s view of fraud risks in an effort to
complete the task efficiently. Also, because the
brainstorming requirement is new, there may be a
lack of “buy in” that prompts team members to
embrace the group’s views quickly in order to move
to other tasks perceived as being more critical.

Groupshift is the fourth
pitfall. While a purpose of brainstorming sessions
is to help the audit team collectively arrive at
conclusions about fraud risks, team leaders must
exercise caution to avoid allowing the team to
take an extreme position on fraud risk. For
example, a group whose members generally are
conservative might shift toward a more
conservative position while a group of risk-takers
might lean toward even riskier positions. With the
recent emphasis on fraud detection, there is some
cause for concern audit teams will assume the
risks are high in all engagements.

There
are costs of such overreacting. For example, if
there is an overrated risk of fraudulent activity
within inventory, an auditor may expand audit
procedures related to inventory observation,
inventory pricing, and cutoff, leading to
excessive and unnecessary audit work. Worse yet,
an auditor may rush to judgment and accuse client
personnel of wrongdoing without the proper basis
for doing so. Given groupshift’s potential impact
on audit effectiveness and efficiency, all audit
teams should be concerned about it.

BRAINSTORMING BASICS
Brainstorming team
leaders can avoid the pitfalls described above by
following these guidelines.

Assign homework.
The discussion leader should
inform participants well in advance of a
scheduled meeting that they will discuss
fraud risks so each team member can focus
on coming up with ideas about how and
where the entity is susceptible.
Distributing the meeting’s agenda (see the
example) will also provide greater context
for participants to think about possible
fraud risks and will further inform them
about what to expect during the
brainstorming session. Circulating meeting
agendas in advance can be particularly
helpful in larger audit engagements with
several team members. In contrast, a small
firm with only four audit personnel might
not need to circulate an agenda before a
brainstorming session because it has
agreed upon a common agenda to be used
across all engagements.

The leader
should encourage team members to use the
experiences and knowledge obtained
during previous audits and recent
interactions with the client. Also, he
or she should stress that the assignment
should not be overly time-consuming;
members can be formulating ideas as they
perform their day-to-day tasks. Leaders
should ask individuals to come to the
meeting with a list of their ideas. If
leaders believe it would help members
who are shy about speaking at meetings,
the lists prepared in advance can be
discussed or distributed without
identifying the preparer.

Fraud Risk
Brainstorming Meeting Sample
Agenda

Both large and small firms use various forms of
fraud checklists and other assessment tools for
accumulating and assessing fraud risk indicators.
Some firms complete those checklists as part of
the client acceptance or continuance procedures or
just prior to the brainstorming session. Thus,
part of the assigned homework may include
completion of the checklists or other tools in
advance of the meeting. Checklist topics may
provide a useful framework for beginning the
brainstorming discussion. And, the brainstorming
discussion may lead to other useful insights that
help update initial checklist responses.

Establish ground rules.
The leader should establish a strong
foundation for brainstorming sessions by
communicating fundamental ground rules before a
session begins: Do not criticize others’ ideas,
let each person speak, and try to build on others’
ideas. Audit team members should know what to
expect of themselves and others. It is
particularly important that all participants feel
their input is valued and their voice will be
heard. The leader also should make certain that
participants understand how the session will
proceed and how ideas generated during the meeting
will impact the audit.

Some firms schedule
stand-alone meetings to conduct the brainstorming
sessions. This is most common for large or complex
engagements. Other firms allow the brainstorming
discussions to be part of a larger initial
planning meeting, particularly when the audit
engagement is relatively straightforward. When the
sessions are part of a larger meeting, the
engagement leader should ensure that sufficient
time is allocated to this component of the meeting
agenda.

Set the tone. At the
beginning of a meeting, the leader should
genuinely encourage all audit team members,
including less experienced staff, to express any
idea no matter how unusual it may seem. Because
not everyone enters the brainstorming activity
with a similar level of knowledge or experience
with the client or willingness to share ideas
about fraud risk in an open-ended fashion, it is
important to establish a comfortable environment.
There is no substitute for having the engagement
leader stress to the audit team the importance of
the brainstorming session, emphasizing that every
idea is valued and everyone has something to
contribute to the discussion. Demonstrated genuine
involvement by the engagement leader will go a
long way towards setting the stage for all team
members to engage in the activity.

Take a “zero tolerance” stance on
criticism. The leader must make
it clear that no criticism about any issue
presented will be allowed while the group is
generating ideas about fraud risks. Imagine the
reaction of a new staff person whose manager
laughs or rolls her eyes at that individual’s
suggestion. Any perception of criticism can
quickly shut down a team member’s willingness to
participate. Criticism also may negatively affect
the efficiency of the brainstorming activity by
diverting attention from the risk assessment
process to other subjects. With a “zero tolerance
for criticism” expectation, the team is less
likely to fall prey to the pitfalls noted.
Open-mindedness, not conformity, should be the
meeting’s goal.

Encourage more not less.
Participants should make every
effort to generate as many ideas as possible about
how and where the entity may be susceptible to
fraud and how management might conceal its
actions. The greater the number of ideas about
potential fraud risks, the more likely the group
will accurately identify and assess relevant fraud
risks and develop appropriate audit responses to
them. If idea generation about fraud risks within
a particular business process (for example,
inventory management) or account (investments)
begins to wane, the leader should shift the
discussion to another business process
(purchasing) or account (receivables) or rephrase
the current question to get the group thinking
differently. So, if the group is discussing how
receiving personnel might steal
inventory and the brainstorming process begins to
slow, the session leader might ask participants to
think about how purchasing personnel
could misappropriate inventory (for example,
redirecting inventory orders to unauthorized
locations). Reframing issues from different
perspectives can be a valuable technique for
increasing the number of ideas generated about a
particular fraud risk.

Credit the group, not individuals.
It is important for the leader to
assign credit for ideas generated to the group as
a whole rather than to a contributing member.
Recognizing group ownership of ideas is more
likely to increase the team’s interest and its
commitment to its goals than when individuals are
rewarded personally.

Manage group size and composition.
When determining which members to
include in individual brainstorming sessions, team
leaders must not only include the ones who will be
key to the discussion at hand, but also understand
how group size might affect the outcomes. Thus,
the number of people participating in sessions may
vary across an engagement.

The size of the
group affects the structure of the session:
Smaller groups (seven or fewer individuals) tend
to complete tasks more quickly and reduce the
potential for group domination or social loafing;
larger groups (twelve or more individuals), on the
other hand, are better problem solvers and idea
generators because there are more individuals
thinking about fraud risks. However, large groups
tend to deter certain individuals from
participating. Therefore, for some very large
engagements, the leader may find it advisable to
divide the engagement team into subgroups, perhaps
along the client’s business segments, for detailed
brainstorming about fraud risks in those segments.
Later, representatives from each subgroup can
convene to discuss the risks identified at the
segment level and to brainstorm about consolidated
risks.

For example, when engagement
personnel are located in multiple offices, one
national firm conducts an initial brainstorming
conference call with engagement leaders in various
locations working on the client engagement.
Subsequent to that conference call, each local
engagement leader then conducts brainstorming
sessions with his or her engagement personnel.
Fraud risk issues identified in local office
sessions are discussed in a follow-up conference
call involving key engagement leaders from all
offices serving the client.

BRAINSTORMING TECHNIQUES
There are a number of
well-defined brainstorming techniques. Here are
three that team leaders might find appropriate for
auditors.

Open brainstorming is an
unstructured technique auditors can use in which
discussions follow very few rules and procedures.
In this type of brainstorming, individuals share
ideas as they come to mind in a kind of
free-for-all. Although this approach often is
used, it is erroneous to assume that merely
forming a group to share ideas is all one needs to
generate a large number of high-quality ideas
about fraud risks. In fact, if the brainstorming
basics discussed above are ignored, open
brainstorming’s unstructured environment can
result in a degenerating process in which only one
or a few individuals participate.

If audit
teams decide to use this approach, it is best to
have someone not participating in the
brainstorming session record ideas. This might be
a new staff person on the engagement who has
little knowledge about the client’s business and
environment and who will benefit by better
understanding.

Round-robin brainstorming
is a structured technique
characterized by a session that begins with a
period of no talking during which team members
engage in silent “self-brainstorming,” or
“brainwriting,” to form their ideas. The team,
informed of the issues, assigned homework well in
advance of the meeting and knowing they have to
make a list of their ideas in priority order, will
be more responsive to sharing with the group.
After the brainwriting phase, each individual
presents his or her ideas. One way to do this is
to have members post their lists on a wall or
bulletin board for all to see. This can be
particularly useful if people are reluctant to
speak up. And, it is efficient since all
participants share in the process.

Round-robin brainstorming eliminates the
problem of group domination because each team
member has a turn, participation is equal and
otherwise quiet individuals have a chance to
speak. Of course, the structure this method
imposes has a downside—a possible loss in
creativity and spontaneity. Generally, round-robin
brainstorming results in fewer ideas, and group
members may feel less connected to the group’s
mission if there is little time for
“freewheeling.” Consequently, a leader can
increase idea generation and encourage a higher
level of interaction if members are allowed to
express additional ideas after the last individual
has been heard.

Electronic brainstorming
is an increasingly popular technique
that combines open brainstorming with software
technology. Team members are told well before they
gather, either in one room or from remote
locations via an electronic link, to think about
potential fraud risks. Electronic brainstorming
begins when a participant or session leader
presents an idea about a potential fraud risk to
the group. In contrast to round-robin
brainstorming, team members can share ideas as
they come to mind. There is no need to wait for a
turn to “speak” because the technology eliminates
the problem of “talking over one another.”
Specifically, participants silently share ideas by
typing them into a computer, which quickly
displays them on everyone’s monitor or a
projection screen. Some technologies also provide
participants with periodic feedback about the
number and types of ideas to help reduce the
likelihood of social loafing due to the anonymous
and silent nature of this technique. Idea
generation continues until the group has exhausted
all of its ideas. Then the brainstorming software
assists the team with the discussion and
consolidation of its ideas.

Electronic
brainstorming generally shortens meeting
times, increases idea generation and
reduces the possibility of personalizing
ideas because an idea’s author remains
anonymous. Group size ceases to be a
limiting factor as well. Current
technology eliminates many coordination
and communication problems, allowing
reasonably large groups to have virtual
meetings in which participants may or may
not be in the same location as long as
there is access to the appropriate
software. So, this technique may be a tool
for large, multinational client
engagements where audit team members are
globally dispersed.

Of course, there
are disadvantages to electronic
brainstorming. One of the most obvious
is the loss of social interaction; while
face-to-face teams are often less
efficient, the nonverbal cues present in
such settings help build trust and
collegiality among team members. Because
electronic brainstorming allows for idea
generation and sharing in an anonymous
setting, individuals may not receive the
credit they feel they are due.
Consequently, some group members will
feel that there is no incentive to
participate and will coast on the ideas
of others.

CPE: Fraud and
the Financial Statement:
Auditor Responsibilities Under
the New SAS (available in
text, video or DVD).

For information about these
products or to place an order,
go to
www.cpa2biz.com or call
1-888-777-7077.

BRAINSTORMING TAKEAWAYS
Ultimately, the
information gathered during the brainstorming
session should be combined with that obtained
through other planning activities to identify the
risks of material misstatements due to fraud.
Thus, before leaving the brainstorming session,
team members need to clarify, refine and achieve
consensus on conclusions about initial fraud risk
ideas.

Some firms have the team classify
fraud risks in one of two categories: risks
affecting the overall engagement and risks
affecting a specific account or class of
transactions. Other methods of summarizing fraud
risks involve classifying them along the three
conditions of the fraud triangle of
incentive/pressure , opportunity
, and rationalization/attitude . By
grouping ideas related to these three concepts,
the team will be focusing on conditions that
ultimately may indicate high fraud risk. That is,
the team may be more likely to identify areas in
which incentives are excessive and opportunities
exist for individuals whose attitudes enable them
to rationalize fraud.

The engagement
leader should assign someone responsibility for
documenting the results of this discussion and any
necessary follow-up procedures. For example, if
the audit team believes there is an increased risk
of fraud related to the client’s revenue
recognition, it will document that additional
targeted procedures will be performed, which might
include specific analytical procedures for revenue
accounts by product line, inquiries of sales and
operations personnel about side agreements, or
specific revenue cut-off procedures at year-end.

The
risks identified and the related responses
must be documented in the audit files
along with information about how and when
the brainstorming discussion occurred, the
audit team members who participated and
the subject matter discussed. The sample
meeting agenda on page 36 provides a nice
starting point for documenting this
information in the audit files. An audit
file memo or spreadsheet-based summary
from the brainstorming meeting that
categorizes information along the three
components of the fraud triangle can be
updated and modified as further fraud risk
information is gathered through other SAS
no. 99 information-gathering activities
(for example, inquiries of management,
consideration of fraud risk factors and
performance of analytical procedures). A
spreadsheet that contains columns of
auditor responses alongside the columns
for each of the fraud conditions
identified can easily organize the key
conclusions drawn from the brainstorming
session.

PRACTICAL
TIPS TO REMEMBER

Keep in mind that
many auditors have never
encountered a fraud in their
clients’ businesses and may
need encouragement to explore
the subject.

As with any group
dynamic, there will be people
who want to take over and
others who will let them do
it. The team leader has to
strike a balance between them.

The leader should
be prepared to try different
techniques to elicit ideas
from a group.

Leaders should
set clear ground rules and the
tone for the group.
Participants are more likely
to generate high-quality ideas
if they know what is expected
of them and understand the
rules of the activity.

A word of caution is appropriate. While certain
aspects of the team’s planned audit responses will
be evident to management, the session leader
should emphasize to team members that there is a
need to avoid disclosing information about such
responses to preserve the confidentiality of the
auditor’s procedures. For example, a surprise
inventory count would lose much of its value if
management were to know in advance of its timing
and location.

Audit teams should also make
certain their consideration of fraud uses a closed
loop. One firm that we spoke with completes the
loop this way: A brainstorming session is held
during planning to identify fraud risks and
develop procedures to address them. Then, during
the wrap-up phase of the audit, a fraud checklist
is completed to ensure no risks were overlooked
and that appropriate procedures were performed. Of
course, the loop is not complete unless everyone
on the audit team is aware of the brainstorming
session and its outcome. So, be sure to provide
the results of the session to any team members who
do not attend the session. Written memos can be
circulated among team members or links to
electronic audit files can provide easy sharing of
key fraud risk information among engagement team
personnel.

WHICHEVER TECHNIQUE WORKS
Auditors no longer
have a choice of whether to brainstorm about the
possibility of fraud; SAS no. 99 requires them to
do it. Brainstorming sessions can generate ideas
about how and where fraud can occur, but they must
be carefully planned and managed to ensure their
effectiveness. Several easy-to-use brainstorming
basics and implementation techniques can go a long
way to avoid potential pitfalls. Regardless of the
approach taken, it is vitally important that the
audit team engage in an open and free exchange of
ideas about where fraud may be present and how the
audit team can respond .

When professionals prepare written material for readers inside their organization or outside, they should make sure that no errors distract from the message they need to convey. Take this short quiz for practice in subject-verb agreement.